LJ Preface

I recently wrestled with something, learned quite a lot, and came up with a document that I'm really rather proud of, that
shares knowledge that's not all out there in one place anywhere else. Along the way I've written some software that I'm
releasing, that makes all of what I've learned a lot easier, and may help make the world a little more secure. I'd like to
share it here.

This is going to be a technical post. For that I apologize. The target of this post is anyone who has a GPG key that they'd
like to expand to a greater audience, and who controls DNS for any of the email domains they publish. Anyone that I host DNS
or mail for is also welcome to do this, if you use PGP, as part of the goal of writing this is to encourage adoption and use
of these methods

The complete guide to publishing PGP keys in DNS

Introduction

Publishing PGP keys is a pain. There are many disjoint keyservers, three or four networks of which, which do (or don't)
share information with each other. Some are corporate, some are private. And it's a crapshoot as to whose key is going to
be on which, or worse, which will have the latest copy of a person's key.

For a long time, GPG has had a way to publish keys in DNS, but it hasn't been well documented. This document hopes to change that.

After reading this, you should:

Know the three ways to publish a key

Have at least a couple tools to do so

Have learned a bit more about DNS

The target audience for this post is a technical one. It's expected you understand what DNS is, and what an RFC and a
resource record is.

There are three ways to publish a PGP key in DNS. Most modern versions of GPG can retrieve from all three, although it's
not enabled by default. There are no compile-time options you need to enable it, and it's simple to turn on. Of the three
key-publishing methods, there are two that you can't use at the same time, and there are advantages and disadvantages to
each.

Advantages to DNS publishing of your keys

It's universal. Your DNS is your own, and you don't have to worry about which network of vastly-disconnected
keyservers is caching your key.

Using DNS does not stop you from publishing via other means.

If you run an organization, you can easily publish all your employee-keys via this method, and in the same step,
define a signing-policy, such that a person need only assign trust to your organization's "keysigning key" (or the
CEO's key, or the CTO's), without the trouble of running a keyserver.

DNSSEC can be used as an additional trust-path vector.

You do not have to be searching DNS for keys in order to publish. On the same note, you do not have to be publishing in this manner to search for
others there.

Disadvantages to DNS publishing

If you don't control your own DNS (or have a good relationship with your DNS admin), this isn't going to be
as easy or even possible. Ideally, you want to be running BIND.

With two of the three methods listed here, you're going to need to be able to put a CERT record into your DNS. Most
web-enabled DNS tools probably will not give you this ability. The third uses TXT records, which SPF has caused to be
fairly universal in web-interfaces. However, it's also the least standards-defined of the three.

Using at least some of these methods, it's not always a "set it and forget it" procedure. You may need to
periodically re-export your key and re-publish it, especially if you gain new signatures.

Using some of these methods, you're going to be putting some pretty large, pretty unwiedly lines in your DNS zones.
Not everyone will easily be able to retrieve them, but again, you can still publish other ways.

Using some of these methods, DNS is just a means to an end: you still need to publish your key elsewhere, like a webpage,
and the DNS records just point at it.

Initial verifications of most of these seem to imply that only DSA keys are supported, although I welcome feedback. It
seems the community is trying to get RSA keys to make a comeback. They're the only type supported by the gpg2.0 card, and
they are the default keytype. There was a while where they weren't, though. Since writing this document, I've discovered
that "new" RSA keys work, but ancient RSA keys with no subkeys tend to misbehave.

Turning on key-fetching via DNS

auto-key-locate cert pka (as well as other methods, like keyserver URLs)

Don't be surprised if a lot of people don't use this method.

Note that you can also turn on two options during signature verification. They are specified in a "verify-options" clause
in your config file, or on the command line, and they are (right from the GPG manpage):

pka-lookups
Enable PKA lookups to verify sender addresses. Note that
PKA is based on DNS, and so enabling this option may dis-
close information on when and what signatures are veri-
fied or to whom data is encrypted. This is similar to the
"web bug" described for the auto-key-retrieve feature.

And:

pka-trust-increase
Raise the trust in a signature to full if the signature
passes PKA validation. This option is only meaningful if
pka-lookups is set.

You can also use the same options on the command line (as you'll see in this document).

Types of PGP Key Records

DNS PKA Records

Relevant RFCs: None that I can find.
Other Docs: The GPG source and mailing lists.

Advantages

It's a TXT record. Easy to put in a zonefile with most management software.

No special tools required to generate, just three simple pieces of data.

Since it uses a special subzone, you can manage the _pka namespace in a separate zonefile.

GPG has an option, when verifying a signature, to look up these records (--verify-options pka-lookups), so it's doubly
useful, both from a distribution and a verification point.

Disadvantages

As with IPGP certs, you're at the mercy of the URL. This doesn't put your key in DNS, just the location of it, and
the fingerprint. Some clients may not be able to support https or http 1.1.

We'll take this in several parts. The record label is simply the email address with "._pka." replacing the "@".
danm@prime.gushi.org becomes danm._pka.prime.gushi.org. Don't forget the trailing dot, if you're using the fully
qualified name. I recommend sticking with fully-qualified, for simplicity.

The body of the record is also simple. The v portion is just a version. There's only one version as far as I can
tell, 'pka1'. The fpr is the fingerprint, with all whitespace stripped, and in uppercase. The uri is the location a
key can be retrieved from. All the "names" are lowercase, separated by semicolons.

Publish the above record in your DNS. Bump your serial number and reload your nameserver. If you're using DNSSEC,
re-sign your zone.

Testing

Most of the tests we're going to do for these are essentially the same activity. See if our DNS server is handing out
an answer, and then see if GPG can retrieve it.

The /tmp/gpg-$$ creates a random file named after your PID. What you should see, and what I see, is something like this:

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring `/tmp/gpg-39996' created
gpg: requesting key 624BB249 from http server prime.gushi.org
gpg: key 624BB249: public key "Daniel P. Mahoney <danm@prime.gushi.org>" imported
gpg: public key of ultimately trusted key CF45887D not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1
gpg: automatically retrieved `danm@prime.gushi.org' via PKA
gpg: DE20C529: There is no assurance this key belongs to the named user
pub 2048g/DE20C529 2000-10-02 Daniel P. Mahoney <danm@prime.gushi.org>
Primary key fingerprint: C206 3054 5492 95F3 3490 37FF FBBE 5A30 624B B249
Subkey fingerprint: CE40 B786 81E2 5CB9 F7D3 1318 9488 EB58 DE20 C529
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (FreeBSD)
hQIOA5SI61jeIMUpEAf/UotgWP8VQC9VTY36HaZeXO1CTFk90x0qlPrAhJk9YaoA
2eHNKZSoHKqaLjzTbaWnWHnNZu0IllIS+qrAwNeIAhswfzDoc8Q9+/4sGSR3LmxA
8SEwrJIvLmGVbqJEtnH8TTHIEao/lpL/d+ul4nLfbXRn0NW+MsaCAi8UsjbLlJeV
n4p0GQlpDoZCE55DTwMzfWMT84YVwuXTesuN+i7sSyJn2hT1rXuK1BCVcsgTcKdy
QhIo3EfKBlfFp74yiU7QCmlAujD6U6a93mmxezPIHVx/WGXgPExVRGgEzfT/tUcI
IQ2xMDUv4BF05hgm04GPGCbBY431j4UkdWWI6bvMLwgA2i01NmflH/6Z8+ss6J1M
e3RWnR7TPl5lDkXFBtLGAzO+HrsC5A32SbkTw+WsljCQLifJ2EalfoJ1QGY4Sp3v
H2YunwZLVPTc+D2JnrXfqNmi5zYZio8by3c8L0CgWdMwZ7PPxZpTOLN77/MIjBkJ
EBb8Z6SZCgzTIhN5z56ZgWFvmSKf1vKkeUcrgxMs+DnA+XqBMJ9w520JwoTLjJza
syrlYVhd+ktY21DYB9OJ5MZx2HMAtkUDRAzW1zoLcehk1kdZNzhpjU5hqSjT8/GN
trKFeqkmKemrq2GvMNyJyrEOB8e7KgbmXa95YKH0Wh2D4SWpXukegyCspmY4tDE+
uckaFSao+48g8D6vs1irGSxBRjyhD/jPDblrgpo=
=NbgW
-----END PGP MESSAGE-----
%
The "insecure memory" warning is a silly warning that the only way to turn off is to run GPG setuid root.
You can see in the output that the key comes from PKA.
The "it is NOT certain" warning has nothing to do with the fact that it came from DNS. You will get that warning every
time you use that key (or any gpg key) until you have edited it and assigned ownertrust to it, or until the key is
signed with a trusted signature, either from your personal web of trust, or from a signing service like the pgp.com
directory.

Ask other people to run it for you and send you the resulting blob. You should be able to decrypt it with your private
key.

PGP CERT Records

Advantages

DNS is all you need. You don't have to host the key elsewhere. As a DNS nerd, this strikes me as very cool.

Suprisingly easy to verify with dig, if you have a base64 converter handy (openssl includes one)

Disadvantages

These records can get big. Really big. Especially if you have photo-ids on your keys. You can play with
export-options to shrink it somewhat. Big dns packets may require EDNS, or dns-over-tcp, which not everyone supports,
but support is becoming more widespread as a result of DNSSEC awareness.

Requires the make-dns-cert tool, which isn't built by default.

Requires you to have some control over your actual zonefile. Most control panels won't cut it.

The record type isn't "CERT", it's "TYPE37". This confused me for a while until I discovered
RFC3597 Basically, it's a way that a DNS server can handle a resource
record it doesn't know about, by giving it some special fields like the "#", as well as a length (which is the 1298 you
see there).

The rest of the record is on one line. I wrapped it for the purposes of brevity. If I were using this in a zonefile,
I would need to be careful that I wrapped it on a byte-boundary (every two characters is a byte). If I miss the
boundary, named will refuse to load it, dnssec-signzone won't touch it, etc.

So the thing is ugly and you don't want to touch it. The easiest way to work with it is to drop all that into a file:

Voice of experience: You may want to dial the TTL (which controls how long servers will cache your data) way down on the
record above. It's not hard, just put a number before the TYPE37, with a space, i.e:

danm.prime.gushi.org. 30 TYPE37

This way if it all goes terribly wrong, or you need to make changes, it won't be cached for very long.

If it looks okay, bump your serial number and reload.

Testing

As above, you can dig, but you won't be able to easily read the results:

Now, while you could compare things byte-by-byte here, what I've done as a "casual check" is just pick random strings in
the text and see if they match up. For example, you can see that "reaIsie2" is present in both. They both start with
and end with similar strings. The real test, of course, is to see if GPG recognizes it as a valid key.

By the way, since I use DNSSEC, dnssec-signzone rewrites this record into the proper "presentation format" for me, which
is base64. If you want a similar function, you can use named-compilezone to get some of the same effects.

IPGP CERT Records

IPGP certs are interesting. It's basically the same pieces of infomation that are in the PKA record, as above, except
that it's supported by an RFC. Despite the RFC compliance, I am not sure if any non-gpg client knows to look for
them. However, because it's a DNS cert, make-dns-cert encodes the information in binary, and your DNS server will see
it in base64. So verifying it visually is harder than verifying either of the above.

Advantages

Small, easy-to-transmit records.

Can use the same uri as the PKA record.

Disadvantages

Relies on the URI scheme. I haven't yet been able to get a definitive list of what uri schemes are supported,
although I've seen http and finger. I've also seen reports that unless gpg is compiled against curl, http
1.1 is not supported (what this actually means is that any host that supports SSL will probably work, because of some of the nuances of SSL).

With PGP certs and IPGP certs, GPG will only parse the first key it gets, so if you publish both, and one doesn't
work, there's no failover. I've argued that this should be fixed.

Requires make-dns-cert, which is not built in GPG by default. (But see "A Better Way" below)

Requires publication in your main DNS zone.

Despite being RFC compliant, GPG has additional trust vectors for PKA but not this, despite the fact that they share basically the same information.

Harder to verify with dig.

Howto

Note that some of these steps are redundant. If you're already doing a PKA key, skip to step 5.

As usual, test decryption, etc. You're done. Figure out which of these are useful to you. When someone asks for your
public key, tell them to run the above command instead of mailing it to them.

Look into embracing DNSSEC. With a signed root, there's a good trust-path vector here. Who knows, maybe some day GPG
will be dnssec-aware so it will give more credit to a secure DNS transaction.

A better way

In reading over a lot of these commands, I've come across a few problems with the tools involved. They either require you to assemble large records
by hand, or manipulate huge files.

DNS has also come a long way since these tools were written, and RFCs have solidified that have determined the "presentation format" (i.e. the "master
file format") of what cert records should look like. On top of everything, the make-dns-cert tool is not built by default, and is not present in most
binary distributions (rpm's, apt).

Thus, I took it upon myself to rewrite make-dns-cert as a shell script.

Advantages

Extracts your key for you (takes a keyid as the argument).

Formats all three record types for you, you can pipe it right into your zone file.

Takes email address as an argument, generates record label.

No compiling needed.

Should work with most systems. Requires openssl and sed, a few other standard utilities.

Generates DNS-friendly comments, so repeating tasks are easy to reference.

(Eventually) available as a tarball, or as a paste-and-go script.

Arguments are in logical DNS record order. email address keyid [url]

Generates a cert record without a URI (this is legal per RFC4398)

You can see sample output here, and you can view it [here]
(http://www.gushi.org/make-dns-cert/make-dns-cert.sh.txt). Depending on your MIME settings, you can probably get a download
link if you go here. If you see the script, you can just save-as.

README, Changelog, TODO coming soon.

Other notes

I'm not 100 percent sure (mainly because I haven't tried), but with IPGP cert, and PKA, I believe I could in theory
point at a keyserver directly, for example, specify a uri of
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0307039309C17C5. I'm a bit dubious about the question marks
and equals-signs, or if I might have to uri-encode things. It's something to be tried.

I'm trying to convince the GPG people that this would be much better adopted if the make-dns-cert tool was
built/included by default, or if its function were included in gpg rather than a third-party tool. This is analagous as to how dnssec-keygen is
used to generate SSHFP DNS records.

It doesn't do any actual cryptography, just some binary conversion, so in theory it could be rewritten in pure-perl, so there's nothing to compile.

I've made the argument to the GPG developers that if multiple CERT records are available, all should be tried if one
fails. So far, if multiple exist, only the first received is parsed, and of course, DNS round-robins the answers by
default.

It took me quite a lot of trial and error to realize that there's a difference between "modern" RSA keys, like this:

RFCs

RFC 3597 defines the odd format of the records that make-dns-cert generates, if it
confuses you.

RFC 2538, which was superseded by RFC
4398,
defines the format for a CERT record.

Todo

At least one GPG enthusiast has suggested to me that any tools I write to handle keys should simply be able to insert them
using nsupdate. I don't disagree, but there's a complicated metric there as some of these require manipulation of a site's
main zone, or at the very least, many subzones. In doing this I'd also like to find out a bit about how to do nsupdate with
sig(0) and KEY records, which with the right policies would mean I could do this without touching named.conf. That may be
the subject of a whole other howto.

I need to get the shell script cleaned up a bit more, and generate proper docs, and start tracking it with version control.

I should probably get the gumption up to formally license all this stuff. For right now, I'd declare it under the ISC
License.

About the author

Dan Mahoney is a Systems Admin in the Bay Area, California. In his spare time he enjoys thinking for those brief fleeting
moments what he would do if he had more free time. Keyid 624BB249, or email address danm@prime.gushi.org.